Security Review - False Positive for SOQL Injection - Configuration Data (Input only by System Admin User)
No this is not a false positive and your app can fail Salesforce security review process due to this!
Since this is a user input there are chances that users can put in a SOQL that can have a security flaw!
It's always recommended you put enough guardrails and security checks in your code.
I would make sure to adopt techniques such as character replace or block listing to secure the code.
Read through all the techniques explained here to make sure you have sufficient validations in your code or have a UI that's less free text and more of a picker so user does not enter something that can cause issue.
Mohith is correct that this isn't a simple "false positive" and you do need to engineer the use of the setting/property appropriately. Since this is actually looking to provide a filter, and thus is providing content for an SOQL (or SOSL) WHERE clause, this needs to be handled in a different way to handling security concerns for user inputs that are themselves inserted as values.
Based on our own experiences doing much the same and passing security review:
- Always insert the filter expression into the query by wrapping it in parentheses. This has several benefits:
- If you have other WHERE clause terms that are always applied, the inserted filter expression will be applied with appropriate precedence in comparison, regardless of how it is internally structured
- Any attempt to use other keywords, such as GROUP BY or LIMIT in the filter expression, will result in syntax errors rather than exposing a vector for security circumvention
- Explicitly comment the absence of use of single quote escaping as reasonable, and not a security issue, given that the filter is not a value but instead one or more WHERE clause terms.
It should be noted that, since you have used parentheses, you can be certain that only an entirely balanced WHERE clause snippet will work. Even if someone tried to inject inappropriate terms, such as ORDER BY, into the snippet this will not work; there would be an unbalanced number of parentheses in the query and the query will not be executed or these keywords would be embedded within the WHERE which is not legal SOQL/SOSL.